From 3f4c92860c987fdcc7499255b32298a19daa7998 Mon Sep 17 00:00:00 2001 From: Kiril Kartunov Date: Fri, 12 Dec 2025 08:48:07 +0200 Subject: [PATCH 1/3] Potential fix for code scanning alert no. 71: Incomplete string escaping or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- src/apps/review/src/lib/utils/metadataMatching.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/apps/review/src/lib/utils/metadataMatching.ts b/src/apps/review/src/lib/utils/metadataMatching.ts index e41c6fd58..aa18006f1 100644 --- a/src/apps/review/src/lib/utils/metadataMatching.ts +++ b/src/apps/review/src/lib/utils/metadataMatching.ts @@ -112,9 +112,14 @@ export function findMetadataPhaseMatch( return { source: 'stringExact' } } - const escapedTarget = escapeRegexLiteral(target) - .replace(/ /g, '\\ ') - const sepInsensitive = new RegExp(`\\b${escapedTarget.replace(/\\ /g, '[-_\\s]+')}\\b`) + // Replace all sequences of space, underscore, or hyphen in the target with a placeholder + const WORDSEP_PLACEHOLDER = '__WORDSEP__'; + const sepPattern = /[ \-_]+/g; + const targetWithPlaceholder = target.replace(sepPattern, WORDSEP_PLACEHOLDER); + // Properly escape ALL regex metacharacters (including backslash), leaving the placeholder intact + const escapedTarget = escapeRegexLiteral(targetWithPlaceholder) + .replace(new RegExp(escapeRegexLiteral(WORDSEP_PLACEHOLDER), 'g'), '[-_\\s]+'); + const sepInsensitive = new RegExp(`\\b${escapedTarget}\\b`); if (sepInsensitive.test(normalizedMetadata)) { return { source: 'stringBoundary' } } From 020c2300b7303c6627503afe108d66bc53fc1dd9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Dec 2025 06:56:28 +0000 Subject: [PATCH 2/3] Initial plan From 6bd27a917976691037302ae3cab29d7f0e408564 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 12 Dec 2025 07:02:31 +0000 Subject: [PATCH 3/3] Fix ESLint semicolon errors in metadataMatching.ts Co-authored-by: kkartunov <5585002+kkartunov@users.noreply.github.com> --- src/apps/review/src/lib/utils/metadataMatching.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/apps/review/src/lib/utils/metadataMatching.ts b/src/apps/review/src/lib/utils/metadataMatching.ts index aa18006f1..2279bfe00 100644 --- a/src/apps/review/src/lib/utils/metadataMatching.ts +++ b/src/apps/review/src/lib/utils/metadataMatching.ts @@ -113,13 +113,13 @@ export function findMetadataPhaseMatch( } // Replace all sequences of space, underscore, or hyphen in the target with a placeholder - const WORDSEP_PLACEHOLDER = '__WORDSEP__'; - const sepPattern = /[ \-_]+/g; - const targetWithPlaceholder = target.replace(sepPattern, WORDSEP_PLACEHOLDER); + const WORDSEP_PLACEHOLDER = '__WORDSEP__' + const sepPattern = /[ \-_]+/g + const targetWithPlaceholder = target.replace(sepPattern, WORDSEP_PLACEHOLDER) // Properly escape ALL regex metacharacters (including backslash), leaving the placeholder intact const escapedTarget = escapeRegexLiteral(targetWithPlaceholder) - .replace(new RegExp(escapeRegexLiteral(WORDSEP_PLACEHOLDER), 'g'), '[-_\\s]+'); - const sepInsensitive = new RegExp(`\\b${escapedTarget}\\b`); + .replace(new RegExp(escapeRegexLiteral(WORDSEP_PLACEHOLDER), 'g'), '[-_\\s]+') + const sepInsensitive = new RegExp(`\\b${escapedTarget}\\b`) if (sepInsensitive.test(normalizedMetadata)) { return { source: 'stringBoundary' } }